.png)
SSPR will only accept explicitly registered authentication methods
Microsoft has announced a tightening of how Self-Service Password Reset verifies identity in Microsoft Entra ID. Today, SSPR can fall back to contact information stored in directory attributes such as mobile phone, business phone, or alternate email, even when those values were never registered by the user as authentication methods. Going forward, only explicitly registered methods will be accepted. The change is part of Microsoft's Secure Future Initiative and ensures password resets rely on trusted, user-validated methods rather than directory-sourced values. Users without a registered method at enforcement will be unable to complete a reset and will be prompted to register or contact an administrator. Microsoft notes that around 86 percent of SSPR verifications already use registered methods, so for many tenants the operational impact will be limited — but the remaining tail is where helpdesk pressure tends to land.
Admins should start in the Microsoft Entra admin center under Authentication methods and User registration details to review coverage across users and administrators. Enabling the SSPR registration campaign will prompt affected users automatically, and it is worth planning a fallback path for anyone who cannot self-register, including helpdesk-assisted registration. Guidance is available in the Microsoft Learn documentation for SSPR policy and for prepopulating authentication contact information.
The registration campaign begins on 6 July 2026, and enforcement starts on 7 September 2026. General availability rolls out worldwide, including GCC and GCC High, from early to mid September 2026.
Timetables may change, so keep an eye on the Message center or roadmap for the most current dates.
Timetables may change, so keep an eye on the Message center or roadmap for the most current dates.
New Entra service plans for Conditional Access and ID Protection for agents
Microsoft has announced two new Microsoft Entra service plans that will be added to Microsoft Agent 365 and Microsoft 365 E7: Entra Conditional Access for Agents and Entra ID Protection for Agents. The intent is to extend the familiar Entra protection model to agent scenarios, so organizations can apply Conditional Access and Identity Protection policies to AI agents the same way they already do for users and workloads. For customers already invested in Agent 365 or E7, this aligns agent identity protections with existing licensing and reduces some of the complexity that has crept in as agent capabilities have matured.
There is nothing to configure to receive the change. The service plans, identified by the part numbers ENTRA_CONDITIONAL_ACCESS_FOR_AGENTS and ENTRA_ID_PROTECTION_FOR_AGENTS, will be added automatically and enabled by default, and existing Conditional Access or ID Protection policies will not be altered. The one nuance worth flagging is licensing scope: organizations that use Conditional Access or ID Protection for agents without Microsoft Agent 365 or Microsoft 365 E7 will need the appropriate license to continue using those capabilities. It is a good moment for IT, identity, security, and licensing teams to align on which SKU covers which agent scenario, and to refresh internal documentation and helpdesk guidance accordingly.
General availability begins worldwide in early July 2026 and is expected to complete by early August 2026.
Rollout windows may shift, so check the Message center or roadmap for the most up-to-date timing.
Thanks for reading. If you'd like to follow along with future Microsoft 365 updates, you can connect with me on LinkedIn
Comments